------------------------
Amiga Virus Encyclopedia
CopyLock Virus
------------------------
Name : CopyLock
Aliases : No Aliases
Type : Bootblock
Size : 2048 bytes
Clones : No Clones
Symptoms : No Symptoms
Discovered : -
Way to infect: Boot infection
Rating : Dangerous
Kickstarts : 1.2
1.3
2.0
Damage : Overwrites boot + block 2 & 3
Comments : If you boot from a CopyLock-infected disk, the
virus copies itself to address $7F400 and changes the
CoolCapture vector to stay resident. On the next reset
the virus patches the DoIO() vector to infect other
disks.
Now imagine you insert an unprotected disk with,
e.g., the X-Copy boot block. The virus then does the
following:
1) Check for Write-Protection
2) Not protected: loads the boot block from the current
disk (X-Copy-Boot) into address $7F800.
3) Saves 44 bytes of the original boot block inside its
own virus code and inserts a virus-loader routine in
their place.
4) Then the virus encrypts itself with $DFF006 and
saves 2048 (!) bytes. (Original+Virus!).
Block 2,3 are now DAMAGED !! NO salvage possible.
If you now boot from the infected disk, the
virus-loader routine copies the virus from blocks
2 and 3 to $7F400 and jumps to $7F400. The virus then
copies the modified original boot block to address
$7F000, reinserts the original code of the boot block
and executes it.
The whole virus boot block is encrypted (see point 4).
In the decrypted virus you can read at the top of the
boot block:
"Copylock Amiga (c) Rob Northern. All rights "
"reserved."
At the end of the boot block you can read:
"* YEP ROB NORTHERN ON THE BOARD ! MY COPYLOCKS"
"ARE FUCK. THE CRACKERS ARE BETTER THAN ME."
"THAT`S WHY I`M WRITING VIRUSES !!! (IN THE HOPE"
"THAT THEY ARE BETTER AS MY COPYLOCKS!) *"
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
Test made by : Safe Hex International